Allion Labs/ Jackson Chen

Vulnerability Detection Foundation of Systems Assurance

In the APP development process, information assets and risk management are quite important, but in fact, many companies have no testers or have non-professional testers. To save money, most companies are only focusing on the development of APP instead of testing the potential risks, which might lead to crash down after the APP goes online. The current common platform is Kali Linux, which includes several types of tools for users to use, but we are not limited to this platform, we can still use other tools to make the test more complete.

Tools Features
Kali Linux Collecting information for web pages and apps,

Simulation vulnerability attack and vulnerability analysis

ApacheBench Web and APP stress test
Nessus Vulnerability analysis for the system

Table 1 – Test Tools & Features

Test Platform

FIG.1 – Kali Linux

The system comes with a toolset. The Kali Linux system has 14 types of security tools and each category has different test tools. In the following article, 1) information collection 2) stress test and 3) vulnerability will be introduced.

FIG. 2- 14 types of security tools in Kali Linux

1. Information Collection

Asset detection and information collection decide the probability you will find the security breach, therefore, the more target information is collected in the penetration testing, the better performance we can expect. To maximize the scope of the target collection and collect the information of subdomains and related domain names as much as possible are essential for our further vulnerability testing. The following is a practical example of information gathering.

Example 1 _Violent hacking of login account password

I. The information needs to be collected:

-Hostname or IP and URL to be cracked

-The distinction is https or http

-The difference between returning information when login succeeds and fails


Dnsenum for information collection in Kali Linux, and Hydra in password attack

III. Operation steps

-Using dnsenum to get the IP address of the target.

FIG. 3 – Get the Target IP Address

Hydra’s instructions

Hydra –l username –p password dictionary –t thread-vV –ip ssh

FIG. 4 – Get the Account Number and Password

Account:root  Password:584520

IV. Solution

A. Dynamic login

Set up the limitation of the login time and the times of logins. For example, the effective duration of the annotation is 5 minutes, but the actual effective duration is about 30 minutes. There are restrictions on the number of times to obtain dynamic passwords, but no protection against password brute force is prevented, and the way to crack passwords is prevented.

B. Static login

Sessions are required to authenticate the registrant’s identity. Usually, after the user completes the identity authentication, the user profile will be saved, and then a corresponding set of ids is generated. This id must be unique, so it will be processed using the uuid mechanism.

C.Double verification

Now there is also a two-factor authentication method to protect the user’s account security. For example, if you log in to your Google account, you can set up login Security. Therefore, Google will send a text message with another login password or voice password, in this way it can enhance the security of the account.

D. The high password input frequency is prohibited

When the password input error of the same source exceeds a certain value, it should notify the system administrator by email or SMS immediately.

2.Stress test

Stress testing is very important in the design and development of large systems. Stress testing can help us discover system performance and evaluate system capabilities and perform targeted performance optimizations to help us verify system stability and reliability. In addition to Kali Linux, there are the following common tools:

FIG. 5 – ApacheBench

ApacheBench can easily simulate more than 1,000 users’ concurrent users testing, and the output test results are quite clear. Also, ApacheBench is not limited to the Linux operating system, you can install it on Windows. The following is a practical example of stress testing:

Example 2 _ Stress test

I. Tool


II. Operation steps

-Find out the Apache folder location.

-Execute ab.exe.

-As shown in Figure (9), the syntax is ab –n 100 –c 10 {url}.

FIG. 6 – Execute ab.exe in the stress testing

FIG.7 – Test results of stress testing

The fields are explained as follows:

Server Software: The operating system and version of the WEB host (if the web host settings turn off this information, no)

Server Hostname: IP address of the WEB host (Hostname)

Server Port: The connection port of the WEB host (Port)

Document Path: The path portion of the test URL

Document Length: The size of the page that the test page responds to.

Concurrency Level: Number of people who are simultaneously performing stress tests

Time taken for tests: the number of seconds spent on this stress test

Complete requests: Number of requests completed (Requests)

Failed requests: Number of requests (Requests)

Write errors: the number of write failures

Total transferred: The total amount of data transferred for this stress test (including the HTTP Header data is also included)

HTML transferred: The total amount of data transferred for this stress test (only the data of the returned HTML is calculated)

Requests per second: The requests per second can be responded to

Time per request: The average time spent per request (in milliseconds)

Time per request: The average time spent per request, the average of all simultaneous connections (in milliseconds)

Transfer rate: Network transfer speed from ab to Web Server

3.Vulnerability analysis

Vulnerability analysis refers to the process of quickly locating vulnerabilities in code, clarifying the attack principle, and accurately estimating potential exploit methods and risk levels. We will use the Nessus tool, which will help system administrators search for vulnerabilities in system hosts. Users can write attack test programs according to their own methods, and let system administrators make correct corrections and protections to system hosts. To avoid being attacked by intruders, the following is the vulnerability scanning process

Example 3_Scanning the local vulnerability



II.Operation Steps

FIG. 9 – Nessus Initial Interface

  • Log in
  • Create or configure policies
  • Scanning
  • Analyze results and select configuration policies according to scanning requirements, which means vulnerability tests can be performed on targets.

FIG. 10 – Scan templates provided by Nessus

-Establish a strategy

-Named Local Vulnerability Assessment

-Target local address:

FIG.11 – Nessus establish strategy

FIG. 12 – Nessus Startup screen

FIG. 13 – Scan results

Click on the vulnerability of the machine to view the detailed vulnerability information and provide a solution.

FIG. 14 – Situation of vulnerability

The vulnerability is described as: The remote host is affected by a remote code execution vulnerability in the Remote Desktop Protocol (RDP). A remote attacker without identity verification can exploit this vulnerability to execute arbitrary code through a series of specially crafted requests, or export a PDF file to provide a solution

One-stop Solution for Security Risks

For information security, web pages and apps, the following test scenarios are available:

  1. Security check

Review internal operations to provide suggestions for improvement and improve security protection

  1. Vulnerability detection analysis

WEB host or system to do security scans, providing results and assisting with corrections

  1. Stress test

WEB stress test. To check how many people can be online at the same time and the load capacity of WEB

Common problems

  1. Does the penetration test have a standard process?

Yes, it does. The following three penetration testing standard processes developed by several open-source organizations

OWASP (Open Web Application Security Project )

OSSTMM (Open Source Security Testing Methodology Manual)

PTES ( Penetration Testing Execution Standard )

  1. Is there no problem at all after the penetration test is completed?

Due to the hacker attack methods, even if the system does not make any changes, it is difficult to ensure that the future will not be invaded by new methods. Therefore, customers are still recommended to perform tests regularly.

  1. What is the difference between penetration testing and vulnerability scanning?

Penetration testing simulates the thinking of hackers in a manual way, conducts attack tests on the system, and compares the tester’s own experience and knowledge. Vulnerability scanning uses automated tools to detect the system and identify all known risks.

Getting Started with Allion Security Risk Detection

In the virtual world, the risk of security vulnerabilities is everywhere. Allion can simulate the hacking methods to conduct security detection on various systems, evaluate their risks and provide solutions. Allion provides customized security risk detection based on user scenarios and product features. Getting started with Allion security risk detection, with our comprehensive and diverse testing methods, potential problems of your products、APP and Web will be addressed. Besides, Allion also provides testing service for IoT products, please click: Information security of IoT wireless application: Is your smart device really secure?